Exploring the CPDoS attack on CDNs: Cache Poisoned Denial of Service

Two researchers from the Technical University of Cologne (TH Koln) have devised a new web attack that can be used by threat actors to poison content delivery networks (CDNs) into caching and then serving error pages instead of the legitimate content.

The new attack has been named CPDoS (Cache-Poisoned Denial-of-Service), has three variants, and has been deemed practical in the real world (unlike most other web cache attacks).

The content displayed in most of the websites is stored on web servers while the CDNs maintain a cached copy that is periodically refreshed.

Web servers store the original website and its content, while CDNs store a cached copy of the website that is only refreshed at certain time intervals.

Web caching mechanism allows reusing HTTP responses to reduce the number of requests that reach the origin server, the volume of network traffic resulting from resource requests, and the latency of resource access

Experts pointed out that an attack on a CDN system can have devastating consequences for the availability of websites.

A CPDoS attack (Cache-Poisoned Denial-of-Service) targets this mechanism, it aims at CDNs that receives and stores an error page caused by a malformed HTTP request header.

The result of the attack is that when users try to access the same resource are served the cached error page.

Below the attack flow described by the researchers:

An attacker sends a simple HTTP request containing a malicious header targeting a victim resource provided by some web server. The request is processed by the intermediate cache, while the malicious header remains unobtrusive.

The cache forwards the request to the origin server as it does not store a fresh copy of the targeted resource. At the origin server, the request processing provokes an error due to the malicious header it contains.

As a consequence, the origin server returns an error page which gets stored by the cache instead of the requested resource.

The attacker knows that the attack was successful when she retrieved an error page in response.

In the HHO attack scenario, hackers leverage the size limit intermediary systems and web servers set for an HTTP request header. The HTTP standard does not define a size limit for HTTP request headers this means that if the cache system accepts a request header size larger than the one the origin server can manage it is possible to cause webserver blocking the request and returning a 400 Bad Request error page that is then cached.

“HHO CPDoS attacks work in scenarios where a web application uses a cache that accepts a larger header size limit than the origin server.” reads the post published by the researchers.

“The cache forwards this request including all headers to the endpoint since the header size remains below the size limit of 20,480 bytes. The web server, however, blocks this request and returns an error page, as the request header exceeds its header size limit. This error page with status code 400 Bad Request is now stored by the cache. All subsequent requests targeting the denialed resource are now provided with an error page instead of the genuine content.”

Experts published a video PoC for this attack that shows them targeting a testing application hosted on Amazon CloudFront.

The second variant of CPDoS attack, the HTTP Meta Character (HMC), leverages a harmful meta character such as control characters like the break/carriage return (‘\n)’, line feed (‘\r’) or bell (‘\a’).

“The HTTP Meta Character (HMC) CPDoS attack works similar to the HHO CPDoS attack. Instead of sending an oversized header, this attack tries to bypass a cache with a request header containing a harmful meta character.” continues the experts.

The third variant of the attack, the HTTP Method Override Attack (HMO, benefits from intermediary systems (e.g. proxies, load balancers, caches, firewalls) supporting only the GET and POST HTTP request methods.

“This means that HTTP requests with DELETE and PUT are simply blocked. To circumvent this restriction many REST-based APIs or web frameworks such as the Play Framework 1, provide headers such as X-HTTP-Method-Override, X-HTTP-Method or X-Method-Override for tunnel blocked HTTP methods (see Listing 1).” explained the security duo. “Once the request reaches the server, the header instructs the web application to override the HTTP method in the request line with the one in the corresponding header value.”

As result, the web server reply with an error message that is cached and served for subsequent valid GET requests for the same resource.

Experts explained that a CPDoS attack can impact multiple cache server locations worldwide, however not all edge servers are affected.

Researchers made some tests using the TurboBytes Pulse and the speed testing tool of KeyCDN. Launching an attack from Frankfurt against a target in Cologne, they observed that cache servers across Europe and some regions of Asia were impacted.

Experts also described mitigations in their research paper, for example, HHO and HHM variants could be addressed by correctly implementing the standard HTTP which, by default, does not allow storing responses that contain error codes.

Technical details, including the list of vulnerable CDNs are included in the paper published by the experts.

Share On

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This site uses cookies, including for analytics, personalization, and advertising purposes. For more information or to change your cookie settings, click here.

If you continue to browse this site without changing your cookie settings, you agree to this use.AcceptRead More

Privacy and Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.

Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.

Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.